Traditional risk management uses a tactical approach whereby viewing a threat as a potential event that might or might not occur and is focused on the direct consequences of that threat. In most instances, a tactical risk will directly affect program performance; the impact on a program's key objectives is most often an indirect consequence of a tactical risk. With respect to the tactical risk highlighted in below, many additional events must occur before the objectives will be directly affected.

In a tactical approach, you first identify all known risks that can adversely affect a program's performance. A risk statement is prepared for each risk and provides details on the potential for loss. Then, probability and impact are established for each risk statement, and risk exposure is determined from the individual values of probability and impact. Using this approach, the typical software program can easily identify hundreds of risk statements. To create a big-picture view of a program's risk, you must aggregate detailed risk information. Because tactical approaches rely on aggregation techniques to provide a big-picture view of risk, we refer to them as incorporating a bottom-up analysis.

Many programs are successful employing tactical approaches for managing risk. However, just as many struggle to effectively manage high numbers of risk statements. In some cases, decision makers in these programs spend too much time manipulating and analyzing risk statements and too little time actually managing their risk.